summaryrefslogtreecommitdiffstats
path: root/meta/classes/cve-check.bbclass
Commit message (Collapse)AuthorAgeFilesLines
* cve-check.bbclass: Fix dependenciesJussi Kukkonen2017-02-151-1/+1
| | | | | | | | | | | | | | With recipe-specific sysroots the cve_check task must depend on cve-check-tool-native:do_populate_sysroot to get the cve-check-tool binary into the recipe sysroot. A normal DEPENDS isn't used to avoid cyclic dependencies. (From OE-Core rev: bd60b1018bc0304bc928701e6d1090c8b1223616) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: remove True option to getVar callsJoshua Lock2016-12-161-23/+23
| | | | | | | | | | | | | getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) (From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: allow recipes to override the product nameRoss Burton2016-12-131-1/+5
| | | | | | | | | | | Add a new variable CVE_PRODUCT for the product name to look up in the NVD database. Default this to BPN, but allow recipes such as tiff (which is libtiff in NVD) to override it. (From OE-Core rev: ba330051570a4c991885ee726cb187e0c911bd4f) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: CVE-2014-2524 / readline v5.2André Draszik2016-11-151-1/+1
| | | | | | | | | | | | | | | | | Contrary to the CVE report, the vulnerable trace functions don't exist in readline v5.2 (which we keep for GPLv2+ purposes), they were added in readline v6.0 only - let's whitelist that CVE in order to avoid false positives. See also the discussion in https://patchwork.openembedded.org/patch/81765/ (From OE-Core rev: b881a288eec598002685f68da80a24e0478fa496) Signed-off-by: André Draszik <adraszik@tycoint.com> Reviewed-by: Lukasz Nowak <lnowak@tycoint.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove RM_OLD_IMAGE, it's no longer usefulJoshua Lock2016-10-151-2/+0
| | | | | | | | | | | | | | | | Since the move to put image deployment under sstate control in d54339d4b1a7e884de636f6325ca60409ebd95ff old images are automatically removed before a new image is deployed (the default behaviour of the sstate logic). RM_OLD_IMAGE is therefore no longer required to provide this behaviour, remove the variable and its users. (From OE-Core rev: 93631befe8b962bf99524746b49f4ebca336175c) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: Add classMariano Lopez2016-09-161-0/+267
This class adds a new task for all the recipes to use cve-check-tool in order to look for public CVEs affecting the packages generated. It is possible to use this class when building an image, building a recipe, or using the "world" or "universe" cases. In order to use this class it must be inherited and it will add the task automatically to every recipe. [YOCTO #7515] Co-authored by Ross Burton & Mariano Lopez (From OE-Core rev: d98338075ec3a66acb8828e74711550d53b4d91b) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>